Changeset d04f7da in mod_gnutls


Timestamp:
Apr 7, 2015, 12:28:40 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
2cde026d
Parents:
2cde8111
Message:

Version guards for gnutls_privkey_import_openpgp_raw workaround

The invalid free bug in gnutls_privkey_import_openpgp_raw should be
fixed in GnuTLS 3.3.12 [1], so add appropriate version guards and use
the workaround only with older versions.

[1] https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a#commitcomment-10581365

Files:
3 edited

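--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -170,7 +170,11 @@
         /* OpenPGP Certificate Private Key */
     gnutls_privkey_t privkey_pgp;
-    /* Internal structure for the OpenPGP private key. DO NOT USE
-     * outside key loading. */
+#if GNUTLS_VERSION_NUMBER < 0x030312
+    /* Internal structure for the OpenPGP private key, used in the
+     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
+     * frees memory that is still needed. DO NOT USE for any other
+     * purpose. */
     gnutls_openpgp_privkey_t privkey_pgp_internal;
+#endif
 
     /* Export full certificates to CGI environment: */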
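Review bot: Once privkey_pgp_internal only exists under `GNUTLS_VERSION_NUMBER < 0x030312`, any remaining reference to it outside such a region (for instance a deinit of that key during cleanup, which is not visible in this changeset) becomes a compile error on GnuTLS 3.3.12 or newer, and only the import path in gnutls_config.c is guarded here. The same version test is now spelled out in three files; defining it once next to this field, e.g. under a constructed name such as `MGS_OPENPGP_IMPORT_RAW_BUG`, would keep the bound in one place if the fixed version ever needs correcting. The struct holding this field starts and ends outside the hunk.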
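--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -422,14 +422,13 @@
         }
 
-        /* Theoretically, this chain of gnutls_openpgp_privkey_init,
+#if GNUTLS_VERSION_NUMBER < 0x030312
+        /* GnuTLS versions before 3.3.12 contain a bug in
+         * gnutls_privkey_import_openpgp_raw which frees data that is
+         * accessed when the key is used, leading to segfault. Loading
+         * the key into a gnutls_openpgp_privkey_t and then assigning
+         * it to the gnutls_privkey_t works around the bug, hence this
+         * chain of gnutls_openpgp_privkey_init,
          * gnutls_openpgp_privkey_import and
-         * gnutls_privkey_import_openpgp could be replaced with one
-         * call to gnutls_privkey_import_openpgp_raw as shown
-         * below. However, that led to a segfault during handshake
-         * which disappeared with the three step method.
-         *
-         * ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
-         *                                         GNUTLS_OPENPGP_FMT_BASE64,
-         *                                         NULL, NULL); */
+         * gnutls_privkey_import_openpgp. */
         ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
         if (ret != 0) {
@@ -464,4 +463,18 @@
             goto cleanup;
         }
+#else
+        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
+                                                GNUTLS_OPENPGP_FMT_BASE64,
+                                                NULL, NULL);
+        if (ret != 0)
+        {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+#endif
     }
 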
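Review bot: The guard picks the import path from the GnuTLS headers at build time, so a module compiled against 3.3.12 or newer headers but loaded with an older libgnutls would take the `#else` branch and run straight into the invalid free this workaround exists for; if that header/library mismatch is a supported deployment (Debian backports are among the branches listed), a runtime check such as `if (gnutls_check_version("3.3.12") == NULL)` selecting the three-step path would cover it, at the cost of keeping privkey_pgp_internal unconditionally. Separately, the new error handling in the `#else` branch puts the opening brace on its own line (`if (ret != 0)` / `{`) while the retained code two lines above the second hunk uses `if (ret != 0) {`; matching the existing style keeps the two branches easy to compare. The enclosing function starts and ends outside both hunks.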
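--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -369,7 +369,5 @@
          * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
          * Workaround from:
-         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12
-         *
-         * TODO: add appropriate version guards */
+         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
 #if GNUTLS_VERSION_NUMBER < 0x030312
         gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);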
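Review bot: Dropping the TODO leaves this comment without any statement of why the bound is 3.3.12, whereas the new comment in gnutls_config.c names the bug and the fixed version; the two links alone do not say whether this retrieve-function trick and the import workaround address the same defect. If they do, a closing line such as ` * Only needed with GnuTLS < 3.3.12, same bug as the import workaround in gnutls_config.c. */` would tie the two guards together, and if they do not, the comment should name the version that makes this one unnecessary. The comment and the enclosing function both begin outside the hunk, so the earlier part of the explanation may already cover this.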